Fix crashes when decoding codepoints larger than 255. Fixes #2192

These codepoint references are now left intact. If necessary, it would be a trivial change to replace them with corresponding UTF sequences. Note that the previous code was decoding the character references recursively, which was probably not the intent.
2025-12-06 04:31:29 +00:00 · 2020-11-25 02:14:03 +00:00
parent 169d7e5a92
commit c00f054d3c
2 changed files with 13 additions and 20 deletions
--- a/4
+++ b/4
@@ -32,6 +32,10 @@ o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most
  identities that are syntactically incorrect to be hostnames are now ignored.
  [Michel Le Bihan, nnposter]

+o [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when
+  encountering a character reference with codepoint greater than 255. (These
+  references are now left unmodified.) [nnposter]
+
 o [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for
  the audit rule base. [nnposter]

--- a/nselib/citrixxml.lua
+++ b/nselib/citrixxml.lua
@@ -25,32 +25,21 @@ local table = require "table"
 _ENV = stdnse.module("citrixxml", stdnse.seeall)

 --- Decodes html-entities to chars eg. &#32; => <space>
+-- Note that only decimal references of ASCII characters are supported.
+-- Named and hexadecimal references are left untouched, and so are codepoints
+-- greater than 255.
 --
 -- @param xmldata string to convert
-- @return string an e
+-- @return string with XML character references replaced with the corresponding characters
 function decode_xml_document(xmldata)
-
-  local hexval
-
  if not xmldata then
    return ""
  end
-
-  local newstr = xmldata
-  local escaped_val
-
-  while string.match(newstr, "(&#%d+;)" ) do
-    escaped_val = string.match(newstr, "(&#%d+;)")
-    hexval = escaped_val:match("(%d+)")
-
-    if ( hexval ) then
-      newstr = newstr:gsub(escaped_val, string.char(hexval))
-    end
-
-  end
-
-  return newstr
-
+  return (xmldata:gsub("&#%d+;",
+                       function (e)
+                         local cp = tonumber(e:sub(3, -2))
+                         return cp <= 0xFF and string.char(cp) or nil
+                       end))
 end

 --- Sends the request to the server using the http lib